ISE Passive ID load

gacs
Cisco Employee

Hi Team,

Our customer would like to see the Passive ID service generated load on ISE-PIC for approx. 10,000 users on:

- Active Directory

- ISE 

- Network Traffic

Do we have any tangible information regarding this question?

Thank You!

Best regards, Gyorgy


Timothy Abbott
Cisco Employee
Hi,
Can you please clarify the question? ISE-PIC can support up to 300K user to IP mappings with the proper licensing. The same is true with ISE and base licensing.

Regards,
-Tim

Hi Tim,

Thank you! This part is clear.

Our customer would like to see, if they deploy the Passive ID service, what it means from an additional load point of view on:

 - Active Directory (CPU usage, for example)

 - ISE

 - Network traffic (additional kbps caused by this Passive ID)

Regarding ISE: Since ISE was tested for the specified concurrent endpoints including this service as well, the load is negligible.

Thank you!

Best regards, Gyorgy

Surendra
Cisco Employee
All of those parameters are completely dependent on the customer’s environment: number of endpoints, number of domain controllers, user events logged, number of applications that request TGTs, etc. No deployment is identical when it comes to passive-ID. The only way to know is by implementing and testing it.

Hello,

Unfortunately, it is not a technical answer that we could accept from Cisco. We would like to understand what could cause an extra load on the domain controllers, and how it works under the hood. We would also like to understand how this equation works. If the load comes, what should we suggest to the customer?

For example:

- add new domain controllers to their system?

- migrate the domain controller to a specific level or patch it?

- any good suggestion?

Testing and just failing and leaving is not an option. Sorry.

Our second issue is: after we joined the ISE to the AD and then selected the domain controller, what is the minimum privilege required for the domain user to access WMI? Domain admin of course works fine; however, customers do not provide this kind of privilege in their production environment. We have not found any detail about the WMI admin user privileges in AD. Please share this information with us.

Thank you,

Gabor

On your second inquiry, please see Required Permissions when AD User not in Domain Admin Group

Regarding loads on the domain controllers, here is from our engineering team:

CPU load on the domain controller is proportional to the filters that are used on the domain controller by subscribed clients. ISE currently uses very lightweight and optimized filters, so the average additional load that is usually seen on customers' domain controllers is 5-10%.

Do note the known issues -- CSCvh86466 and, if using PIC agent, CSCvm83091

In case of significantly high load on domain controllers after the integration, please do work with Microsoft and Cisco TAC. WMIseries might be of interest. Potentially, forward the security events to a member server and monitor on the member server instead.
